Bug #42858 Xpath buffer overflow
Submitted: 2007-10-05 01:05 UTC Modified: 2007-10-06 00:06 UTC
From: felipensp at gmail dot com Assigned:
Status: Not a bug Package: SimpleXML related
PHP Version: 5.2.4 OS: Linux
Private report: No CVE-ID: None
 [2007-10-05 01:05 UTC] felipensp at gmail dot com
Description:
------------
XPath causes a buffer overflow when a function is not found in the predicate.

Reproduce code:
---------------
<?php

$source = file_get_contents('http://visualjquery.com/1.1.2.html'); // fetch a real HTML page as XPath input
$xml = new SimpleXMLElement($source);
$entries = $xml->xpath('//h1[.=foo()]'); // foo() is not a registered XPath function; this is "line 5" in the warnings below

Expected result:
----------------
Only error messages.

Actual result:
--------------
felipe@bl4ck:~/public_html$ php test.php 

Warning: SimpleXMLElement::xpath(): xmlXPathCompOpEval: function foo not found in /home/felipe/public_html/test.php on line 5

Warning: SimpleXMLElement::xpath(): Unregistered function in /home/felipe/public_html/test.php on line 5

Warning: SimpleXMLElement::xpath(): xmlXPathEval: 2 object left on the stack in /home/felipe/public_html/test.php on line 5
*** glibc detected *** php: corrupted double-linked list: 0x084afa90 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7d2db2a]
/lib/tls/i686/cmov/libc.so.6[0xb7d2f50f]
/lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0xb7d32e30]
/usr/lib/libxml2.so.2(xmlDictFree+0xec)[0xb7eec17c]
/usr/lib/libxml2.so.2(xmlFreeDoc+0x1b9)[0xb7e4d8f9]
php(php_libxml_decrement_doc_ref+0x46)[0x808b3f6]
php[0x8161faa]
php(zend_objects_store_del_ref_by_handle+0x179)[0x828fce9]
php(zend_objects_store_del_ref+0x18)[0x828fd28]
php(_zval_ptr_dtor+0x4f)[0x8267fef]
php[0x827db38]
php(zend_hash_reverse_apply+0x57)[0x827dc27]
php(shutdown_destructors+0x50)[0x8267f50]
php(zend_call_destructors+0x30)[0x8274400]
php(php_request_shutdown+0x268)[0x8233c18]
php(main+0x36d)[0x82ebfed]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xdc)[0xb7cddebc]
php(xmlTextReaderConstName+0x145)[0x808a611]
======= Memory map: ========
08048000-0839c000 r-xp 00000000 03:01 5360941    /usr/local/bin/php
0839c000-083b9000 rw-p 00354000 03:01 5360941    /usr/local/bin/php
083b9000-08618000 rw-p 083b9000 00:00 0          [heap]
b7a00000-b7a21000 rw-p b7a00000 00:00 0 
b7a21000-b7b00000 ---p b7a21000 00:00 0 
b7b97000-b7c18000 rw-p b7b97000 00:00 0 
b7c18000-b7c1f000 r--s 00000000 03:01 5194177    /usr/lib/gconv/gconv-modules.cache
b7c1f000-b7c5a000 r--p 00000000 03:01 5242899    /usr/lib/locale/pt_BR.utf8/LC_CTYPE
b7c7b000-b7c86000 r-xp 00000000 03:01 2261088    /lib/libgcc_s.so.1
b7c86000-b7c87000 rw-p 0000a000 03:01 2261088    /lib/libgcc_s.so.1
b7c87000-b7c8b000 r-xp 00000000 03:01 2294771    /lib/tls/i686/cmov/libnss_dns-2.5.so
b7c8b000-b7c8d000 rw-p 00003000 03:01 2294771    /lib/tls/i686/cmov/libnss_dns-2.5.so
b7c8d000-b7c96000 r-xp 00000000 03:01 2294772    /lib/tls/i686/cmov/libnss_files-2.5.so
b7c96000-b7c98000 rw-p 00008000 03:01 2294772    /lib/tls/i686/cmov/libnss_files-2.5.so
b7c98000-b7c9a000 rw-p b7c98000 00:00 0 
b7c9b000-b7c9c000 rw-p b7c9b000 00:00 0 
b7c9c000-b7caf000 r-xp 00000000 03:01 5178599    /usr/lib/libz.so.1.2.3
b7caf000-b7cb0000 rw-p 00012000 03:01 5178599    /usr/lib/libz.so.1.2.3
b7cb0000-b7cc3000 r-xp 00000000 03:01 2294778    /lib/tls/i686/cmov/libpthread-2.5.so
b7cc3000-b7cc5000 rw-p 00013000 03:01 2294778    /lib/tls/i686/cmov/libpthread-2.5.so
b7cc5000-b7cc8000 rw-p b7cc5000 00:00 0 
b7cc8000-b7e03000 r-xp 00000000 03:01 2294471    /lib/tls/i686/cmov/libc-2.5.so
b7e03000-b7e04000 r--p 0013b000 03:01 2294471    /lib/tls/i686/cmov/libc-2.5.so
b7e04000-b7e06000 rw-p 0013c000 03:01 2294471    /lib/tls/i686/cmov/libc-2.5.so
b7e06000-b7e09000 rw-p b7e06000 00:00 0 
b7e09000-b7f20000 r-xp 00000000 03:01 5179128    /usr/lib/libxml2.so.2.6.27
b7f20000-b7f26000 rw-p 00116000 03:01 5179128    /usr/lib/libxml2.so.2.6.27
b7f26000-b7f39000 r-xp 00000000 03:01 2294480    /lib/tls/i686/cmov/libnsl-2.5.so
b7f39000-b7f3b000 rw-p 00012000 03:01 2294480    /lib/tls/i686/cmov/libnsl-2.5.so
b7f3b000-b7f3d000 rw-p b7f3b000 00:00 0 
b7f3d000-b7f3f000 r-xp 00000000 03:01 2294474    /lib/tls/i686/cmov/libdl-2.5.so
b7f3f000-b7f41000 rw-p 00001000 03:01 2294474    /lib/tls/i686/cmov/libdl-2.5.so
b7f41000-b7f66000 r-xp 00000000 03:01 2294476    /lib/tls/i686/cmov/libm-2.5.so
b7f66000-b7f68000 rw-p 00024000 03:01 2294476    /lib/tls/i686/cmov/libm-2.5.so
b7f68000-b7f77000 r-xp 00000000 03:01 2294779    /lib/tls/i686/cmov/libresolv-2.5.so
b7f77000-b7f79000 rw-p 0000f000 03:01 2294779    /lib/tls/i686/cmov/libresolv-2.5.so
b7f79000-b7f7c000 rw-p b7f79000 00:00 0 
b7f7c000-b7f83000 r-xp 00000000 03:01 2294780    /lib/tls/i686/cmov/librt-2.5.so
b7f83000-b7f85000 rw-p 00006000 03:01 2294780    /lib/tls/i686/cmov/librt-2.5.so
b7f85000-b7f8a000 r-xp 00000
Aborted (core dumped)


----------------------------------------

felipe@bl4ck:~/public_html$ gdb -q php
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) r test.php 
Starting program: /usr/local/bin/php test.php
[Thread debugging using libthread_db enabled]
[New Thread -1212278368 (LWP 15257)]

Warning: SimpleXMLElement::xpath(): xmlXPathCompOpEval: function foo not found in /home/felipe/public_html/test.php on line 5

Warning: SimpleXMLElement::xpath(): Unregistered function in /home/felipe/public_html/test.php on line 5

Warning: SimpleXMLElement::xpath(): xmlXPathEval: 2 object left on the stack in /home/felipe/public_html/test.php on line 5
*** glibc detected *** /usr/local/bin/php: corrupted double-linked list: 0x084afa90 ***
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6[0xb7c73b2a]
/lib/tls/i686/cmov/libc.so.6[0xb7c7550f]
/lib/tls/i686/cmov/libc.so.6(cfree+0x90)[0xb7c78e30]
/usr/lib/libxml2.so.2(xmlDictFree+0xec)[0xb7e3217c]
/usr/lib/libxml2.so.2(xmlFreeDoc+0x1b9)[0xb7d938f9]
/usr/local/bin/php(php_libxml_decrement_doc_ref+0x46)[0x808b3f6]
/usr/local/bin/php[0x8161faa]
/usr/local/bin/php(zend_objects_store_del_ref_by_handle+0x179)[0x828fce9]
/usr/local/bin/php(zend_objects_store_del_ref+0x18)[0x828fd28]
/usr/local/bin/php(_zval_ptr_dtor+0x4f)[0x8267fef]
/usr/local/bin/php[0x827db38]
/usr/local/bin/php(zend_hash_reverse_apply+0x57)[0x827dc27]
/usr/local/bin/php(shutdown_destructors+0x50)[0x8267f50]
/usr/local/bin/php(zend_call_destructors+0x30)[0x8274400]
/usr/local/bin/php(php_request_shutdown+0x268)[0x8233c18]
/usr/local/bin/php(main+0x36d)[0x82ebfed]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xdc)[0xb7c23ebc]
/usr/local/bin/php(xmlTextReaderConstName+0x145)[0x808a611]
======= Memory map: ========
08048000-0839c000 r-xp 00000000 03:01 5360941    /usr/local/bin/php
0839c000-083b9000 rw-p 00354000 03:01 5360941    /usr/local/bin/php
083b9000-08618000 rw-p 083b9000 00:00 0          [heap]
b7900000-b7921000 rw-p b7900000 00:00 0 
b7921000-b7a00000 ---p b7921000 00:00 0 
b7add000-b7b5e000 rw-p b7add000 00:00 0 
b7b5e000-b7b65000 r--s 00000000 03:01 5194177    /usr/lib/gconv/gconv-modules.cache
b7b65000-b7ba0000 r--p 00000000 03:01 5242899    /usr/lib/locale/pt_BR.utf8/LC_CTYPE
b7bc1000-b7bcc000 r-xp 00000000 03:01 2261088    /lib/libgcc_s.so.1
b7bcc000-b7bcd000 rw-p 0000a000 03:01 2261088    /lib/libgcc_s.so.1
b7bcd000-b7bd1000 r-xp 00000000 03:01 2294771    /lib/tls/i686/cmov/libnss_dns-2.5.so
b7bd1000-b7bd3000 rw-p 00003000 03:01 2294771    /lib/tls/i686/cmov/libnss_dns-2.5.so
b7bd3000-b7bdc000 r-xp 00000000 03:01 2294772    /lib/tls/i686/cmov/libnss_files-2.5.so
b7bdc000-b7bde000 rw-p 00008000 03:01 2294772    /lib/tls/i686/cmov/libnss_files-2.5.so
b7bde000-b7be0000 rw-p b7bde000 00:00 0 
b7be1000-b7be2000 rw-p b7be1000 00:00 0 
b7be2000-b7bf5000 r-xp 00000000 03:01 5178599    /usr/lib/libz.so.1.2.3
b7bf5000-b7bf6000 rw-p 00012000 03:01 5178599    /usr/lib/libz.so.1.2.3
b7bf6000-b7c09000 r-xp 00000000 03:01 2294778    /lib/tls/i686/cmov/libpthread-2.5.so
b7c09000-b7c0b000 rw-p 00013000 03:01 2294778    /lib/tls/i686/cmov/libpthread-2.5.so
b7c0b000-b7c0e000 rw-p b7c0b000 00:00 0 
b7c0e000-b7d49000 r-xp 00000000 03:01 2294471    /lib/tls/i686/cmov/libc-2.5.so
b7d49000-b7d4a000 r--p 0013b000 03:01 2294471    /lib/tls/i686/cmov/libc-2.5.so
b7d4a000-b7d4c000 rw-p 0013c000 03:01 2294471    /lib/tls/i686/cmov/libc-2.5.so
b7d4c000-b7d4f000 rw-p b7d4c000 00:00 0 
b7d4f000-b7e66000 r-xp 00000000 03:01 5179128    /usr/lib/libxml2.so.2.6.27
b7e66000-b7e6c000 rw-p 00116000 03:01 5179128    /usr/lib/libxml2.so.2.6.27
b7e6c000-b7e7f000 r-xp 00000000 03:01 2294480    /lib/tls/i686/cmov/libnsl-2.5.so
b7e7f000-b7e81000 rw-p 00012000 03:01 2294480    /lib/tls/i686/cmov/libnsl-2.5.so
b7e81000-b7e83000 rw-p b7e81000 00:00 0 
b7e83000-b7e85000 r-xp 00000000 03:01 2294474    /lib/tls/i686/cmov/libdl-2.5.so
b7e85000-b7e87000 rw-p 00001000 03:01 2294474    /lib/tls/i686/cmov/libdl-2.5.so
b7e87000-b7eac000 r-xp 00000000 03:01 2294476    /lib/tls/i686/cmov/libm-2.5.so
b7eac000-b7eae000 rw-p 00024000 03:01 2294476    /lib/tls/i686/cmov/libm-2.5.so
b7eae000-b7ebd000 r-xp 00000000 03:01 2294779    /lib/tls/i686/cmov/libresolv-2.5.so
b7ebd000-b7ebf000 rw-p 0000f000 03:01 2294779    /lib/tls/i686/cmov/libresolv-2.5.so
b7ebf000-b7ec2000 rw-p b7ebf000 00:00 0 
b7ec2000-b7ec9000 r-xp 00000000 03:01 2294780    /lib/tls/i686/cmov/librt-2.5.so
b7ec9000-b7ecb000 rw-p 00006000 03:01 2294780    /lib/tls/i686/cmov/librt-2.5.so
b7ecb000-b7ed0000 r-xp 00000000 03:01 2294473    /lib/tls/i686/cmov/libcrypt-2.5.so
b7ed0000-b7ed2000 rw-p 00004000 03:01 2294473    /lib/tls/i686/cmov/libcrypt-2.5.so
b7ed2000-b7ef9000 rw-p b7ed2000 00:00 0 
b7f08000-b7f0a000 rw-p b7f08000 00:00 0 
b7f0a000-b7f23000 r-xp 00000000 
Program received signal SIGABRT, Aborted.
[Switching to Thread -1212278368 (LWP 15257)]
0xffffe410 in __kernel_vsyscall ()
(gdb) bt
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb7c37df0 in raise () from /lib/tls/i686/cmov/libc.so.6
#2  0xb7c39641 in abort () from /lib/tls/i686/cmov/libc.so.6
#3  0xb7c6d9bb in ?? () from /lib/tls/i686/cmov/libc.so.6
#4  0x00000005 in ?? ()
#5  0xbfa9be0c in ?? ()
#6  0x00000400 in ?? ()
#7  0x00000002 in ?? ()
#8  0x08277c21 in zend_register_functions (scope=0x828fce9, functions=0x8161faa, function_table=0xbfa9e9a7, type=-1210902870)
    at /home/felipe/php-5.2.4/Zend/zend_API.c:1705
#9  0xb7c73b2a in ?? () from /lib/tls/i686/cmov/libc.so.6
#10 0x00000002 in ?? ()
#11 0xb7d347a8 in ?? () from /lib/tls/i686/cmov/libc.so.6
#12 0xbfa9e9a7 in ?? ()
#13 0xb7d316aa in ?? () from /lib/tls/i686/cmov/libc.so.6
#14 0xbfa9c36f in ?? ()
#15 0xb7d316aa in ?? () from /lib/tls/i686/cmov/libc.so.6
#16 0xbfa9c36f in ?? ()
#17 0xb7d316aa in ?? () from /lib/tls/i686/cmov/libc.so.6
#18 0xb7d4c120 in ?? () from /lib/tls/i686/cmov/libc.so.6
#19 0x00000021 in ?? ()
#20 0xb7d4c138 in ?? () from /lib/tls/i686/cmov/libc.so.6
#21 0xb7d4c144 in ?? () from /lib/tls/i686/cmov/libc.so.6
---Type <return> to continue, or q <return> to quit---
#22 0x08603358 in ?? ()
#23 0xb7d4c150 in ?? () from /lib/tls/i686/cmov/libc.so.6
#24 0x00000070 in ?? ()
#25 0x00000002 in ?? ()
#26 0xb7c74fd1 in ?? () from /lib/tls/i686/cmov/libc.so.6
#27 0x30000040 in ?? ()
#28 0x66613438 in ?? ()
#29 0x00303961 in ?? ()
#30 0xb7d4aff4 in ?? () from /lib/tls/i686/cmov/libc.so.6
#31 0x084c71a8 in ?? ()
#32 0x084e71b0 in ?? ()
#33 0xbfa9c400 in ?? ()
#34 0xb7c7550f in ?? () from /lib/tls/i686/cmov/libc.so.6
#35 0x00000040 in ?? ()
#36 0xbfa9c3c8 in ?? ()
#37 0xb7d3481c in ?? () from /lib/tls/i686/cmov/libc.so.6
#38 0xb7d4c120 in ?? () from /lib/tls/i686/cmov/libc.so.6
#39 0x086018a0 in ?? ()
#40 0x086018d8 in ?? ()
#41 0x00000000 in ?? ()


 [2007-10-05 11:50 UTC] rrichards@php.net
Try a newer version of libxml2 (2.6.28+). I can't reproduce this and believe this isn't a PHP issue but rather due to a bug that existed in libxml2 2.6.27.
 [2007-10-05 23:18 UTC] felipensp at gmail dot com
I tested with libxml2-2.6.30 and did not have the bug.
 [2007-10-06 00:06 UTC] jani@php.net
Obviously a libxml bug -> not PHP bug -> bogus.
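The report above is a libxml2 memory-safety bug reached through an XPath expression with an unregistered function in its predicate; the triage points at libxml2 2.6.28+ as the fix. In a web application the value inside such a predicate is often attacker-controlled, so the practical checks are (a) that the libxml2 PHP links against is at least 2.6.28 and (b) that untrusted input enters the predicate as an XPath string literal rather than as raw expression text. The following is an added example written for this page, not code from the bug report or from PHP itself. It assumes PHP 7.4+ with SimpleXML; the sample document is constructed inline to stand in for the HTML page the report fetched, and the functions `libxml_has_xpath_fix`, `xpath_literal` and `xpath_with_errors` are names chosen here. `LIBXML_DOTTED_VERSION`, `libxml_use_internal_errors` and `libxml_get_errors` are real PHP built-ins.

```php
<?php
// Added example for this report, not code from the bug or from PHP itself.
// Assumes PHP 7.4+ with SimpleXML and a libxml2 carrying the fix the triage
// points at (2.6.28 or newer). The sample document below is constructed.

// libxml2 version PHP was compiled against (LIBXML_DOTTED_VERSION is a PHP constant).
function libxml_has_xpath_fix(): bool
{
    return version_compare(LIBXML_DOTTED_VERSION, '2.6.28', '>=');
}

// Turn an untrusted string into an XPath string literal so that input such as
// foo() is compared as text instead of being parsed as a function call.
function xpath_literal(string $value): string
{
    if (strpos($value, "'") === false) {
        return "'" . $value . "'";
    }
    if (strpos($value, '"') === false) {
        return '"' . $value . '"';
    }
    // Both quote characters present: splice single-quoted pieces together with concat().
    $pieces = array_map(fn(string $p): string => "'" . $p . "'", explode("'", $value));
    return 'concat(' . implode(', "\'", ', $pieces) . ')';
}

// Evaluate an XPath query with libxml errors captured rather than emitted as
// PHP warnings; returns the matched nodes plus any libxml messages.
function xpath_with_errors(SimpleXMLElement $xml, string $expr): array
{
    $previous = libxml_use_internal_errors(true);
    libxml_clear_errors();
    $nodes = $xml->xpath($expr);
    $errors = array_map(fn(LibXMLError $e): string => trim($e->message), libxml_get_errors());
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return ['nodes' => is_array($nodes) ? $nodes : [], 'errors' => $errors];
}

if (!libxml_has_xpath_fix()) {
    fwrite(STDERR, 'libxml2 ' . LIBXML_DOTTED_VERSION . " predates 2.6.28; not evaluating XPath\n");
    exit(1);
}

// Constructed stand-in for the page the report fetched over HTTP.
$source = '<html><body><h1>foo()</h1><h1>bar</h1></body></html>';
$xml = new SimpleXMLElement($source);

// Untrusted value an attacker might supply for the heading to look up.
$wanted = 'foo()';

// Naive concatenation reproduces the expression from the report.
$naive = '//h1[.=' . $wanted . ']';
$r = xpath_with_errors($xml, $naive);
printf("%s -> %d node(s), %d libxml error(s)\n", $naive, count($r['nodes']), count($r['errors']));
foreach ($r['errors'] as $msg) {
    echo '  ', $msg, "\n";
}

// Quoting the value keeps it a plain string comparison.
$safe = '//h1[.=' . xpath_literal($wanted) . ']';
$r = xpath_with_errors($xml, $safe);
printf("%s -> %d node(s), %d libxml error(s)\n", $safe, count($r['nodes']), count($r['errors']));
```

One caveat on the version check: LIBXML_DOTTED_VERSION reflects the headers PHP was compiled against, not necessarily the shared library loaded at runtime. The backtraces in the report show the loaded object by name (/usr/lib/libxml2.so.2.6.27); `ldd $(which php) | grep libxml` or `php -i | grep -i libxml` shows the same for a given installation, and the two should agree before trusting the check.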